Use the timeline to investigate events
The timeline is a visual representation of the number of events that occur at each point in time. It shows the distribution of events over time. Mouse over a bar to see the count of events. Click a bar to drill down to that time. Drilling down in this way does not run a new search; it only filters the results from the previous search. You can use the timeline to highlight patterns or clusters of events, or to investigate peaks (spikes in activity) and lows (possible server downtime) in event activity.
Change the timeline format
The timeline is located in the Events tab above the events listing.
Format options are located in the Format Timeline menu.
You can hide the timeline (Hidden) and display a Compact or Full view of it. You can also toggle the timeline scale between linear (Linear Scale) and logarithmic (Log Scale).
For example, in the Full view the timeline is taller and displays the count on the y-axis and time on the x-axis.
Zoom in and zoom out to investigate events
Zoom and selection options are located above the timeline. At first, only the Zoom Out option is available.
When you mouse over and select bars in the timeline, the Zoom to Selection or Deselect options become available.
The timeline legend is in the top right corner of the timeline. It indicates the scale of the timeline. For example, 1 minute per column indicates that each column represents a count of events during that minute.
Zooming in and out changes the time focus. For example, if you click Zoom Out, the legend will indicate that each column now represents an hour instead of a minute.
When you click and drag your mouse over one bar or a cluster of bars in the timeline, the events list updates to display only the events that occurred in that selected time range.
You can cancel this selection by clicking Deselect.
When you Zoom to Selection, you filter the results of your previous search for your selected time period. The timeline and events list update to show the results of the new search.
You can't Deselect once you've zoomed into the selected time range, but you can Zoom Out again.
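The following is an added example, not Splunk code or part of the original documentation. It models what the timeline does with a constructed list of event timestamps: counting events per column at the legend's scale, zooming out to a coarser scale, flagging peaks and lows, and filtering an existing result set to a selected range. The function names and the peak threshold (`factor`) are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Constructed sample: timestamps of events returned by one search (not real data).
BASE = datetime(2014, 5, 1, 10, 0, 0)
EVENTS = (
    [BASE + timedelta(minutes=0, seconds=s) for s in (5, 40)]
    + [BASE + timedelta(minutes=1, seconds=s) for s in (10, 50)]
    + [BASE + timedelta(minutes=2, seconds=s) for s in range(0, 60, 2)]  # burst of 30
    + [BASE + timedelta(minutes=5, seconds=s) for s in (15, 20)]  # minutes 3-4 are silent
)

def timeline(events, span_seconds):
    """Count events per column; span_seconds is the legend scale (60 = 1 minute per column)."""
    if not events:
        return {}
    def column_start(ts):
        secs = int((ts - EPOCH).total_seconds())
        return EPOCH + timedelta(seconds=secs - secs % span_seconds)
    counts = Counter(column_start(ts) for ts in events)
    columns, col, last = {}, min(counts), max(counts)
    while col <= last:  # keep empty columns so gaps stay visible
        columns[col] = counts.get(col, 0)
        col += timedelta(seconds=span_seconds)
    return columns

def peaks_and_lows(columns, factor=3):
    """Peaks: columns above factor x the median count. Lows: columns with no events."""
    ordered = sorted(columns.values())
    median = ordered[len(ordered) // 2]
    peaks = [c for c, n in columns.items() if n > factor * max(median, 1)]
    lows = [c for c, n in columns.items() if n == 0]
    return peaks, lows

def select(events, start, end):
    """Filter already-retrieved events to [start, end), as dragging over bars does."""
    return [ts for ts in events if start <= ts < end]

if __name__ == "__main__":
    per_minute = timeline(EVENTS, 60)    # 1 minute per column
    per_hour = timeline(EVENTS, 3600)    # after Zoom Out: 1 hour per column
    peaks, lows = peaks_and_lows(per_minute)
    print("peaks:", peaks, "lows:", lows, "hour view:", per_hour)
    print("selected:", len(select(EVENTS, peaks[0], peaks[0] + timedelta(minutes=1))))
```

At one hour per column the burst and the two silent minutes collapse into a single bar, which is why a spike or gap found after zooming out is worth re-examining at the finer scale.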
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14